Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/04/08 05:49:05 UTC

[Bug 4249] New: DNS timeouts cause broken RBL/URIBL lookups and false positives

http://bugzilla.spamassassin.org/show_bug.cgi?id=4249

           Summary: DNS timeouts cause broken RBL/URIBL lookups and false
                    positives
           Product: Spamassassin
           Version: 3.0.2
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Libraries
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: jifl-sabugzilla@jifvik.org


When Net::DNS::Resolver is initialised by Dns.pm, it sets some variables such as
retrans to 0, udp_timeout to 3, and persistent_udp to 1. However this can have
bad consequences.

Shortly after spamassassin starts processing a message it does what appears to
be a DNS lookup of the first Received header hostname (I'm not sure about that
but it doesn't matter).

This calls the Net::DNS::Resolver search() method. That in turn, within
Net::DNS, calls a function called send_udp() which will send a UDP packet and
wait for the UDP timeout to pass, set by spamassassin to 3 secs. 

However, if the DNS response is longer than 3 seconds we get a timeout. That
shouldn't matter, but it does.

The next DNS lookup that happens for me is the URIBL checks, i.e. something like
foo.com.multi.surbl.org. But this time Plugin/URIDNSBL.pm uses the Resolver
function bgsend() - a background send function - to do the lookup. 

However what then happens is that due to persistent_udp being set, the same UDP
socket is reused as for the previous query that timed out. Then later in
URIDNSBL.pm's complete_dnsbl_lookup(), it will read back the first response it
gets from that socket. However that response is not infrequently, for me at
least, a response to the _first_ DNS query. That is not the expected one.

What is more, that first query response will be an A record lookup of a host
that does exist, and will return a valid A record, so the URIDNSBL.pm code will
think that the domain it was looking up _is_ in various URIBLs as it thinks it
got an A record response to the URIBL lookup. With the default score set, that
tends to add 6.7 to the score (URIBL_PH_SURBL,URIBL_WS_SURBL,URIBL_OB_SURBL),
and easily makes the mail falsely be considered spam.

And all because a single DNS lookup took longer than 3 seconds. That could
happen a lot for people with slow or (temporarily) congested links, or who
happen to look up a name that takes a while. Or indeed where the UDP packet gets
dropped due to congestion, which is very much allowed.

I think the best all round solution is for persistent_udp (and probably _tcp) to
be disabled. Then port numbers will never be reused.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
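
The sequence described in the report above, replayed on a loopback UDP socket as an added example (not SpamAssassin or Net::DNS code): with `check_reply` off, the first datagram read is taken as the answer to the URIBL query; with it on, replies whose ID and question do not match the outstanding query are discarded. The hostnames other than the report's foo.com.multi.surbl.org, the query IDs, the address 192.0.2.10 and the function names are constructed for illustration, and the ID/question check is an assumption shown alongside, not instead of, the reporter's proposal to disable persistent_udp.

```python
import socket
import struct

def build(qid, name, flags=0x0100, answer_ip=None):
    """Minimal DNS message: one A/IN question, optionally one A answer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    msg = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    if answer_ip:  # answer name is a compression pointer to offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return msg

def parse(msg):
    """Return (id, question name, answer count) of a message from build()."""
    qid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += 1 + msg[pos]
    return qid, ".".join(labels), ancount

def uribl_listed(check_reply):
    """Replay the sequence on loopback; return the 'listed' verdict for query 2."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # the persistent socket
    client.connect(server.getsockname())
    client.settimeout(0.1)  # stands in for udp_timeout
    try:
        client.send(build(1, "mail.example.org"))          # query 1: plain A lookup
        _, addr = server.recvfrom(512)
        try:
            client.recv(512)
        except socket.timeout:
            pass                                           # query 1 times out
        client.send(build(2, "foo.com.multi.surbl.org"))   # query 2, same socket
        server.recvfrom(512)
        # The late answer to query 1 arrives first, then NXDOMAIN for query 2.
        server.sendto(build(1, "mail.example.org", 0x8180, "192.0.2.10"), addr)
        server.sendto(build(2, "foo.com.multi.surbl.org", 0x8183), addr)
        while True:
            rid, rname, ancount = parse(client.recv(512))
            if not check_reply or (rid, rname) == (2, "foo.com.multi.surbl.org"):
                return ancount > 0
    finally:
        client.close()
        server.close()
```
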

[Bug 4249] DNS timeouts cause broken RBL/URIBL lookups and false positives

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4249


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dev@spamassassin.apache.org
         AssignedTo|dev@spamassassin.apache.org |spamassassin@dostech.ca
   Target Milestone|Undefined                   |3.1.0




------- Additional Comments From spamassassin@dostech.ca  2005-04-07 21:00 -------
THANKS!

This explains bug 3997.

Looking at this now.




[Bug 4249] DNS timeouts cause broken RBL/URIBL lookups and false positives

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4249


spamassassin@dostech.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




------- Additional Comments From spamassassin@dostech.ca  2005-04-07 21:55 -------
bug 3997 has the discussion to date

bug 4249 has the cause (I hope!)

*** This bug has been marked as a duplicate of 3997 ***




[Bug 4249] DNS timeouts cause broken RBL/URIBL lookups and false positives

Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4249





------- Additional Comments From sidney@sidney.com  2005-04-07 21:19 -------
Finally!!! This does sound like it nails bug 3997. This should be moved over
there by marking this a duplicate and copying Jonathan's description from this
bug into a comment over there, so as not to separate the discussions.

Thank you Jonathan!


